Cloud computing won’t involve sensitive federal data

A federal proposal for the use of cloud computing makes it clear that the most sensitive data the government keeps about Canadians won’t be allowed to leave the country.

Only information the government deems “unclassified” — meaning its unauthorized release carries little, if any material or physical harm to the government or individual Canadians — will be allowed to cross the border, bound for cloud computing servers in other countries, under the government’s newly released cloud computing strategy.

When data does leave the country, it must be encrypted, says the strategy that has been in development for more than a year.

Sensitive personal information on Canadians like social insurance numbers and top secret government data will remain on cloud servers in the country so the federal government maintains “sovereign control over its data,” the strategy says.

The government’s central information technology department is already buying up cloud space capable of handling unclassified data, the document says. By this time next year, Shared Services Canada is expected to have bought more cloud space capable of handling more sensitive data, but not information deemed secret or top secret.

The strategy is the result of consultations that began more than two years ago and included more than 60 industry organizations.

The federal government has for years looked at expanding its use of cloud computing as part of an overall push to cut down on the money it spends on its data centres and computer systems.

Rather than paying to build digital infrastructure like servers cloud computing lets governments, businesses and individuals rent digital space on systems owned by providers like Microsoft, Google and Amazon, among others.

The government will only pay for the cloud computing that it needs, the document says.

The strategy leaves it up to departments to decide what mix of cloud computing they use. That will allow federal departments and agencies to choose what the document calls a “right cloud strategy” that includes use of secure public clouds that are available to the public and private sector, private clouds that would be available only to the federal government, and the government’s existing systems.